SEPTEMBER 2009 PROTECTION OF PERSONAL INFORMATION BILL (09) 2009


Content

• Overview: Timetable, aim

• 9 principles

• Exceptions and special provisions

• Automatic electronic communications

• Consent/purpose

• The Regulator

• Codes of conduct

• Table of content of the Bill

• Conclusion


Timetable for introduction of PPI

Bill (09) of 2009 was tabled in Parliament by Cabinet in August.

• It will now go through the Parliamentary process: hearings before the National Assembly portfolio committee.

• It could be signed by the President in the first half of 2010.

• It will then take another year before the start of its implementation, including the drafting of regulations, the setting up of a National Information Regulator's office and other support structures.

So there is time for all businesses to prepare their operations and minimize the impact of the legislation.


The aim of PPI

• To give effect to the constitutional right to privacy

• To regulate the manner of collection, usage, processing, retention and deletion of personal information

• A statutory regulatory agency to be established, an information commissioner: to register, monitor, regulate, educate and prosecute offences

• To endorse codes of conduct to make industry sectors self-regulated

• To fall in line with international standards for trans-border data flow

The law applies to all private and public bodies who handle personal information.


9 principles in PPI Bill

Personal information must be:

• Obtained fairly and lawfully and disclosing the purpose (purpose driven) and used only for the original specified purpose

• Adequate, relevant and not excessive to purpose

• Get consent as far as it is practical and offer an opt-out option (consent)

• In some cases opt-in will be mandatory

• Accurate and up to date and delete if requested (control)

• Accessible to the subject

• Kept securely and destroyed after its purpose is completed

• The responsible party has an obligation to comply with all principles

• Trans-border compliance

There are exclusions and exemptions for each principle in certain circumstances.


1. Accountability

• Designate a staff manager to be responsible for adherence to privacy principles throughout the company

• Draft a company privacy principles code to be used by all departments

• Train all staff affected

• Subscribe to an industry code, advise and scrutinize

• Register with Information Regulator


2. Disclosure

When gathering data from individual consumers, marketers shall advise them of:

1. What information is being collected

2. How the information will be used

3. Record their consent

When acquiring a list from another organization, they must ensure that consent was obtained for such usage.


3. Controlling the use of information (purpose)

• The purpose for which information is collected shall be identified before the time of collection

• The collection shall be limited to what is necessary as identified by the company

• All involved in the use, transfer, rental, sale or exchange of data must be aware of the exact nature of the list's intended usage


4. Safe storage of information of customers

• All those involved in the use, transfer, rental, sale or exchange of mailing lists should agree to be responsible for the protection of data and take appropriate measures to ensure against unauthorized access, alteration or dissemination of list data


5. Respect for confidential and sensitive information

• List owners and users must be protective of consumers' rights to privacy of sensitive information like religion, health and sex life, race, political persuasion and criminal behavior, and positive consent will have to be obtained (some industry exceptions)


6. Give consumers control of usage of information

• Make reasonable efforts to provide personal own information to consumers on request

• The marketer must remove the consumer's name from all internal lists or rentals to third parties at the request of the consumer, at any time such a request is made

• The marketer must amend any personal information at the request of the consumer or when aware of changes to the data. There is a duty of accuracy in keeping the information (present requirement of PAIA of 2000)


7. Security safeguards

• Ensure the integrity of personal information and guard against unlawful access

• Information processed by a person acting under the authority of the responsible party

• Security measures in place

• Notification of security compromises to regulator and data subjects


8. Information no longer required

• Formal guidelines and implementation procedure guidelines must be developed to ensure safe destruction or disposal of personal information no longer required.


Exceptions and special provisions

Note: Public Domain is excluded

• Separate provision has been made for the protection of special (sensitive) personal information like religion, health and sex life, race, political persuasion and criminal behavior.

• Section 66 regulates unsolicited electronic communications under "opt-in" conditions (except for present customers)

• Section 67 regulates the compilation and use of directories and Section 68 automated decision-making

• Deals with privacy and advertising to children.


PPI: E-mail, SMS, Fax, automatic dialing machine offers

• Section 66 mandates that consent is obtained before contacting new consumers by E-mail, SMS or automatic dialing machines: an opt-in requirement (spam protection).

• Does not apply to telemarketing

• Positive consent does not apply for existing customers

• ECT Act to be reviewed


“Consent”, “purpose” and usage

• “Purpose” for collection and usage must be disclosed up front

• “Consent” means any freely given, specific and informed expression of will where data subjects agree to the purpose of usage and processing of personal information

• An “opt-out” system presumes that the consumer wants to be contacted for marketing offers BUT the system allows people to block the use of their information.

• An “opt-in” system presumes that the consumer does not want to be contacted (even if the information is from a publicly available source) and it requires that every consumer be contacted to gain explicit permission.

• “Implied consent” can apply to existing customers


Regulator's office & complaints

• Establishment of a Regulator as an independent authority to administer the Bill, issuing codes of conduct, registering companies who intend to process personal information (to check purpose and transparency compliance)

• Procedures set out to lodge a complaint with the Regulator

• Regulator's powers and procedures outlined

• Regulates the investigations process

• Offences and penalties


Codes of conduct

• Provisions in the Bill for registration of codes by business sector Associations.

• If the code is accepted by the Regulator, the sector becomes self-regulated, reports to the Regulator on its processing of complaints and, from time to time, has its code reviewed

• Should a company not adhere to the recommendations of the Association, the remedies and penalties of the Bill will apply.

• An industry with a Code will also vet its members for compliance with the Bill, and if a company is accepted as a member, the process of prior investigation will not be done by the Regulator.


Conclusion

Requirements as Industry standards to reflect:

• High degree of transparency and responsibility in gathering and handling consumers' personal information, with emphasis on security safeguards of databases and computer systems

• Set standards for opt-in and opt-out procedures and registers

• Set standards for active, technical, management changes to current practices for information gathering and handling

• Encourage companies to have privacy policy and communication with staff, training to handle procedures

• Registration with the Information Regulator and negotiation to have the standards endorsed under the PPI, or be a member of an accredited industry association.


Table of content of the Bill (12 chapters)

• Chapter 1 : Definitions and purpose

• Chapter 2 : Application provisions

• Chapter 3 : Principles and processing of information

• Chapter 4 : Exemptions

• Chapter 5 : Information Protection Regulator

• Chapter 6 : Notification and prior investigation


Table of content of the Bill (contd.)

• Chapter 7 : Codes of conduct

• Chapter 8 : Unsolicited electronic communications

• Chapter 9 : Trans-border information flows

• Chapter 10 : Enforcement

• Chapter 11 : Offences and penalties

• Chapter 12 : General provisions


Thank you

Any questions?